7.
The Shadow Internet Economy
Maksym Schipka, Senior Architect at MessageLabs
“For as little as $250 you can buy a custom written malware and for an
extra $25 a month you can subscribe to updates that will ensure that your
malware evades detection.”
“The vast majority of malware authors (viruses, trojans, spyware) do not
distribute it themselves. In fact, they make great play of offering their
software ‘for educational purposes only’ in the hope that this offers some
immunity from prosecution.”
Copyright First Atlantic Commerce
Ltd 2009

9.
Heartland called U.S. Secret Service and hired two breach forensics teams
to investigate. Robert Baldwin, Heartland's President and chief financial
officer, said it wasn't until mid January that investigators uncovered the
source of the breach:
A piece of malicious software planted on the company's payment
processing network that recorded payment card data as it was being sent
for processing to Heartland by thousands of the company's retail clients.
Heartland does not know how long the malicious software was in place,
how it got there or how many accounts may have been compromised. The
stolen data includes names, credit and debit card numbers and expiration
dates.
“The transactional data crossing our platform, in terms of magnitude... is
about 100 million transactions a month,” Baldwin said. “At this point,
though, we don't know the magnitude of what was grabbed.”
Source: Washington Post.com

10.
RBS WorldPay, formerly RBS Lynk, is the United States-based payment-
processing arm of The Royal Bank of Scotland Group. RBS announced
in December 2008 that an unauthorized party had improperly accessed
the company's computer system.
Compromised prepaid cards included 1.5 million payroll and open-loop gift
cards, approximately 100 of which had experienced actual fraud,
according to an RBS statement. The bank says hackers also may have
accessed the Social Security numbers of approximately 1.1 million
individuals. An RBS WorldPay spokesperson says no identity theft has
been reported on individuals whose personal information was
compromised in the breach. Neither the RBS spokesperson nor Ross
would confirm media estimates of the amount of fraud committed on the
payroll cards.
Source: Cardline Global

11.
KYE – Know Your Enemy
Excerpts from Interview with a Professional Phisher
Ø Started at age 14. Now 19
Ø >20 million identities phished so far via social networking worms
Ø Works 3-4 days a week
Ø Uses web software programme called MyOwnChanger.com
Ø Low entry costs - VPN’s, dedicated servers, proxies and network traffic is
encrypted. All payments are made through eGold.
Ø Anti phishing deterrents in Explorer 7 and Firefox 2 cause slowdowns but
it makes phishers more “motivated”
Ø “Lazy web developers are the reason I’m still around phishing”
Source: http://ha.ckers.org/blog/20070508/phishing-social-networking-sites

12.
KYE – Know Your Enemy
Excerpts from Interview with a Professional Phisher
“Social networking sites, make me $500 to 1k through CPA deals. 5 times
out of 10 the person uses the same password for their email account.
Now depending what is inside their email inbox determines how much
more profit I make. If an email account has one of the following
paypal/egold/rapidshare/ebay accounts even the email account itself, I
sell those to scammers ($5 /pswd). All in all, I make 3k to 4k a day. I
only phish 3-4 days a week. Depends on how much time I invest. The
more time I invest the greater the outcome.”

13.
The Bank of Bermuda email domain was hijacked
This is a phishing email

14.
Hijacked URL from
Jliangpartnership.co.uk
Copyright year is different
This is the Phished site

15.
This is the real web site

16.
KYE – Know Your Enemy
Ø The Anti Phishing Network Group is dedicated to wiping out Internet
scams and fraud;
Ø The site contains detailed global information on reports of phishing scams.
http://www.apwg.org
Ø They work alongside another site called Millers Miles in the UK that tracks
online phishing email scams and web sites.
http://www.millersmiles.co.uk
Ø Millers Miles has over 1,490,599 phishing scams in their database
Ø This information is publicly available for all merchants to reference
Ø Much of the world’s phishing is isolated to specific geographies including
Eastern Europe, Russia, China and the USA
Ø Most targeted industries: Financial Services 52%; Payment Services
18%; Auctions 25%; Retail 1%

17.
Current Trends in Phishing
Anti Phishing Network Group 2008

Statistics                                                      April     May       June
Number of unique phishing emails rec'd by APWG from consumers   24,924    23,762    28,151
Number of unique phishing web sites detected                    20,410    20,317    18,509
Number of brands hijacked by Phishers                           276       294       227
Country hosting the most phishing websites                      China     Turkey    USA
Contain some form of target name in the URL                     28.30%    23.20%    26.10%
Longest time online for Phished site                            30 days   31 days   30 days

Source: www.apwg.org

19.
Current Trends in Phishing
Ø Phishing based trojans are ‘crimeware’ which is designed with the intent
of redirecting end users' network traffic to a location where it was not
intended to go;
Ø This includes crimeware that changes DNS-specific information and
automatically redirects browsers to a fraudulent web site;
Ø The USA and China host the highest percentage of either phishing-based
keyloggers or trojan downloads in Q2 2008
Ø Phishing Activity Trends Report Q2 2008:

                    April     May       June
USA                 38.67%    32.12%    30.98%
China               9.68%     28.67%    24.95%
Russia              8.23%     6.06%     5.74%
Republic of Korea   3.81%     2.18%     2.17%

25.
Current Trends in Online Fraud
Ø Since 2000 the percent of online revenues lost to payment fraud has been
slowly declining from 3.6% in 2000 to 1.8% in 2004 to 1.4% in 2008;
Ø 2009 CyberSource 10th Annual Online Fraud Report estimates that $4
billion in online revenues was lost to online fraud (North America region) –
down from $5.5 billion in 2007.
Ø Chargebacks understate true fraud losses by as much as 50%. The
remainder occurs when merchants issue refunds in response to a
consumer’s claim of fraudulent account use.
Ø International transactions have a 3.5% higher risk factor than domestic
transactions resulting in rejection of international transactions 3.5 times
more than domestic transactions.
Source: Cybersource 2009 Online Fraud Report

27.
Online Fraud Statistics 2008
Nilson Report Nov 2008 states:
Ø Over past 10 years the card industry has succeeded in reducing
“opportunity fraud” from lost or stolen cards, and fraudulent applications;
Ø Opportunity fraud accounted for 21.07% of total fraud losses suffered in
2007 or $1.17 billion;
Ø Counterfeit cards accounted for 33.52% of all fraud losses or $1.86 billion
in 2007. Counterfeit cards are being produced using
compromised/hacked account data stored by merchants, networks,
processors;
Ø Card-Not-Present fraud amounted to 38.04% of total fraud losses or
$2.11 billion. Five years ago CNP fraud accounted for roughly 25% of
total fraud losses;
Ø Total fraud losses based on the above research - $5.55 billion

28.
Online Fraud Statistics 2008
In 2008 North America surveyed merchants said:
Ø Merchants processing > $5 million/yr online are employing six or more
fraud detection/screening tools and are utilizing more automated decision
systems;
Ø Merchants processing > $100 million/yr online are employing 7.7 fraud
detection/screening tools;
Ø Stolen card numbers are the most popular exploit of online fraudsters.
They try multiple identities, emails, zip codes and details with the same
credit card numbers until they find a combination that makes it past the
fraud and issuer authorisation systems;
Ø Stolen cards are repeatedly “tested” by processing small transactions until
the limit is reached or the account blocked. Often this testing is done
across multiple merchant sites;
Ø Without industry data sharing this cannot be properly tracked.
Source: Cybersource 2009 Online Fraud Reports

29.
Online Fraud Statistics 2008
In 2008 UK/EU surveyed merchants said:
Ø Efforts to tackle online fraud are being hampered by a lack of
coordination across multiple channels (and cross border cooperation);
Ø Fraudsters are divided into two groups – less sophisticated
“chancers” targeting small merchants with simple techniques; and
sophisticated professionals who are testing defences of larger
merchants in pursuit of significant data or financial rewards;
Ø Lack of consumer education regarding phishing and password
protection is a significant problem;
Ø Only 17% of merchants believe the police are effectively tackling
cybercrime citing lack of resources and not following up on significant
“tip-offs” of addresses where they knew fraudsters were located.
Source: Cybersource 2008 Online Fraud Reports

30.
Online Fraud Statistics 2008
• According to the recently published 2008 Identity Fraud Survey issued
by Javelin Strategy and Research, 8.1 million Americans were
victimized by identity fraud – a crime amounting to $45 billion;
• The total average cost of a data breach last year reached $202 per
record, a 2.5% increase since 2007 (the study was conducted by the
Ponemon Institute, a privacy and data-protection research group);
• Of the average $202 per record cost, $139 was attributable to lost
businesses as a result of the breach;
• Breaches that originated with outsourcing companies, contractors,
consultants, and business partners accounted for 44% of the breach
total, up from 40% in 2007.
• Third-party breaches cost an average of $231 per record, compared
with $179 for breaches originating from within the organization that
owns the data.

31.
Online Fraud Statistics 2008
• The total average cost per company surveyed was more than $6.6
million per breach, up from $6.3 million in 2007 and $4.7 million in
2006;
• Javelin reports seeing an increase in “Vishing” which is identity theft
over the phone. Consumers receive an email requesting them to call a
given phone number instead of being directed to a phishing web site;
• Consumers are told about security warnings of fraudulent activity on
their accounts or plastics;
• Customers are then told to “call the bank back at this number” and
input their account numbers, card details and private information.

33.
Current Fraud Detection Tools
Fraud ‘detection’ tools are those used to identify the probability of risk
associated with an online transaction or to validate the identity of the
purchaser. Results from detection tools are then interpreted by humans
or rules systems to determine if the transaction should be accepted. The
systems do not guarantee that a fraud will not occur and certainly will
never prevent a chargeback initiated by the consumer. Consumer
behaviour cannot be predicted or prevented by fraud detection tools.
“Detection Does Not Equal Prevention”

34.
Current Fraud Detection Tools
So How Do You Protect Your
Business?

35.
Current Fraud Detection Tools
The most popular tools used to assess or gauge online fraud are different
for merchants processing over $25 million USD per annum in sales. The
larger North American merchants use more risk-specific scoring models,
negative and positive lists and sophisticated data sharing tools. They also
spend considerably greater effort on chargeback management.
Company specific fraud screening solutions, external fraud systems and
consumer behaviour models rated the highest in the large merchant
category survey.
Source: Cybersource 2009 Online Fraud Reports

37.
Current Fraud Detection Tools
In the UK and Europe, trends in the use of online fraud tools differ
from those in the USA. Merchants spend considerably more time manually
reviewing transactions, and CVV2, AVS and Verified By
VISA/SecureCode remain the primary automated fraud
solutions.
The fastest growing anti-fraud tool in the past year has been 3-D Secure™
due to the June 2007 Maestro SecureCode mandate. 71% of UK/EU
merchants now claim to have implemented 3-D Secure™.
One significant difference is with the use of IP Geolocation services in the
detection of possible fraud. 48% of North American merchants use IP
Geolocation, whereas only 23% of European merchants use IP
Geolocation.
Device Fingerprinting has been identified as the top fraud tool to add in
2009.
Source: Cybersource USA/UK 2008 Online Fraud Reports

40.
Current Fraud Detection Tools
Address Verification Services (AVS):
Ø Address Verification Service is a North American based service whereby
the Card Issuing bank matches the street and Zip/Postal Code information
entered by the consumer to the information held on the bank’s systems;
Ø Issuers DO NOT decline authorisations based on AVS responses – they
simply provide the AVS code in the auth response message;
Ø AVS is a North American service and not many international processors or
acquirers support USA AVS verification;
Ø AVS Line 2 scamming is now prevalent making this tool unreliable as a
verification tool – data is bought from card list brokers;
Ø AVS is subject to a significant rate of “false positives” because it can be
fooled into providing a partial match AVS score;
Ø Large merchants typically use AVS as a pre-screening service prior to
fulfilling orders.

42.
Current Fraud Detection Tools Used
Device Based Fingerprinting
Ø Traditional Fraud Service providers are now offering more intelligent
services including PC fingerprinting;
Ø The service determines within whether an online transaction is coming
from a computer that has a history of fraud or abuse;
Ø Could be an issue with virtual devices and dynamic IP addresses/roaming
Ø New technology so not much analysis regarding fraud reduction available
yet
Customer Spending and Behaviour Analysis
Ø Reviewing consumer behaviour, spending patterns and charges provides a
lot of information about your client;
Ø Web site traffic and transactional flows are profiled to watch for and
detect suspicious shopping or surfing behaviour (ie large quantities of
electronics purchased with rapid check out);
Ø Repeat customers have typical patterns of shopping or browsing
behaviour which fall into normal parameters.

43.
Current Fraud Detection Tools Used
Negative Files and Cross Industry Data Sharing
Ø Are based on previous cardholder processing and purchasing information
across multiple merchant and acquirer systems;
Ø Somewhere in history this cardholder has defrauded a merchant or is a
habitual chargeback offender, which is why they are in the negative
database;
Ø Unfortunately a lot of consumers get placed on the negative file as a
result of someone else’s fraudulent use of their card or deliberately by
merchants competing for consumer transactions;
Ø Negative files can be very useful if part of an overall data sharing solution.
ETHOCA is an example of a data sharing service that combines decline
data, chargebacks and suspicious transaction information at the card
number level.

44.
Current Fraud Detection Tools Used
Decision Matrices, Risk Scoring Software and Data Sharing
Ø Determine if a transaction should be accepted, rejected or suspended for
review based on risk parameters set up in the fraud system;
Ø Only as good as the data within the risk matrix database which is why
cross-industry sharing is so important going forward;
Ø Fraud is dynamic which means the matrices must always be updated
and refreshed with ‘current data’ trends
Ø Fraudsters learn over time and vary their strategies so the systems must
be regularly “tuned”;
Ø Still requires manual review of exception items
Ø They can be expensive for small merchants but worthwhile for larger
merchants who need cross industry information to reduce fraud
exposures.

47.
Current Fraud Detection Tools Used
ETHOCA Data Sharing
Ø Fraud Reduction – Leveraging ‘Advisory Codes’ such as velocity and data
inconsistencies (e.g., multiple emails per card) can detect upwards of
30% of card related fraud
Ø Comparing merchants to their industry peers reveals that for some
merchants 10% of rejections are actually good orders
Ø Link Analysis – Up to 15% of fraud that is undetected by traditional
means can be spotted by ‘linking’ common data elements across
multiple merchants and industries
Ø So far over 40 companies/partners now share their transactional data
through ETHOCA including RBS, TigerDirect, British Airways, Emirates
Airways, others
Source: Keegan Johnson – CEO ETHOCA
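
The card "testing" pattern from the Online Fraud Statistics slides (small transactions, many identities on one card, spread across merchant sites) and the velocity and "multiple emails per card" advisory codes above can be checked as follows. This is an added example, not code from the presentation or from ETHOCA; the code names, thresholds, merchant ids and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Attempt = namedtuple("Attempt", "ts merchant card email zip_code amount")

# Constructed sample authorisation attempts (not real data). Cards appear as
# opaque tokens; merchant ids m1/m2 are hypothetical.
SAMPLE = [
    ("2008-06-01T10:00:00", "m1", "tok_A", "a1@example.com", "10001", 1.00),
    ("2008-06-01T10:04:00", "m2", "tok_A", "b2@example.com", "94105", 1.50),
    ("2008-06-01T10:09:00", "m1", "tok_A", "c3@example.com", "60601", 2.00),
    ("2008-06-01T10:15:00", "m2", "tok_A", "d4@example.com", "73301", 1.00),
    ("2008-06-01T09:00:00", "m1", "tok_B", "pat@example.com", "02139", 59.99),
    ("2008-06-03T18:30:00", "m1", "tok_B", "pat@example.com", "02139", 120.00),
    ("2008-06-01T11:00:00", "m2", "tok_D", "x@example.com", "30301", 250.00),
    ("2008-06-01T11:05:00", "m2", "tok_D", "y@example.com", "30301", 300.00),
    ("2008-06-01T11:10:00", "m2", "tok_D", "z@example.com", "30301", 400.00),
]


def load(rows):
    """Turn raw tuples into Attempt records with parsed timestamps."""
    return [Attempt(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]


def advisory_codes(attempts, window=timedelta(minutes=30),
                   max_identities=2, small_amount=5.00, min_small=3):
    """Map card token -> set of advisory codes raised in any sliding window.

    MULTI_IDENTITY: more than max_identities distinct (email, ZIP) pairs.
    SMALL_AMOUNT_VELOCITY: at least min_small attempts of <= small_amount.
    (Hypothetical code names and thresholds.)
    """
    by_card = defaultdict(list)
    for a in attempts:
        by_card[a.card].append(a)

    flagged = {}
    for card, items in by_card.items():
        items.sort(key=lambda a: a.ts)
        codes, start = set(), 0
        for end, cur in enumerate(items):
            # Move the left edge so the window never spans more than `window`.
            while cur.ts - items[start].ts > window:
                start += 1
            in_window = items[start:end + 1]
            identities = {(a.email.lower(), a.zip_code) for a in in_window}
            if len(identities) > max_identities:
                codes.add("MULTI_IDENTITY")
            if sum(a.amount <= small_amount for a in in_window) >= min_small:
                codes.add("SMALL_AMOUNT_VELOCITY")
        if codes:
            flagged[card] = codes
    return flagged


def merchant_view(attempts, merchant):
    """The subset of attempts one merchant sees without data sharing."""
    return [a for a in attempts if a.merchant == merchant]


if __name__ == "__main__":
    pooled = load(SAMPLE)
    for m in ("m1", "m2"):
        print(m, "alone:", advisory_codes(merchant_view(pooled, m)))
    print("pooled:", advisory_codes(pooled))
```

Run per merchant, tok_A stays under both thresholds at m1 and at m2; only the pooled view raises both codes, which is the case for cross-merchant data sharing made on the slides.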

48.
Current Fraud Detection Tools Used
Manual Order Review
Ø Merchants claim they manually review 1 out of every 4 online
transactions;
Ø Used specifically to manage payment fraud;
Ø Must be done in conjunction with other tools like AVS, CVV2 match
checks, internal chargeback analysis etc
Ø One consequence of using multiple automated fraud tools is that more
transactions are flagged up for manual review adding additional work to
back office admin functions;
Ø This requires merchants to divert more ‘qualified’ staff to order review,
increase time to review, improve accuracy of the manual review process
(and train staff to know what to look for);
Ø Merchants report on average they only provide 4-6 weeks of training to
review orders!

49.
Current Fraud Detection Tools Used
CVV2
Ø CVV2 stands for Card Verification Value;
Ø Consists of the last 3 digits printed on the VISA plastic signature panel
which is not recorded anywhere else on the card;
Ø Is known as CVC2 with MasterCard and CID with AMEX/Discover;
Ø CVV2 can assist a merchant to differentiate between consumers who have
the physical plastic in their possession at the time of the transaction and
those that don’t (but not always);
Ø However CVV2 is only as useful as the Issuer who validates the data and
declines the authorisation based on No Match responses
Ø Changes in Card Association regs in 2007 now allow merchants to
represent chargebacks for RC 83 if the Issuer does not participate in
CVV2 match checking.

50.
Current Fraud Detection Tools Used
CVV2
Ø Not all Issuers participate in CVV2 verification, so the presence of CVV2 in
the auth request should not be used to ‘assume’ the cardholder that’s
performing the transaction is in possession of the actual plastic - unless
the Issuer has replied with a CVV2 Match ‘M’ response;
Ø There are more Issuers now who decline authorisations for CVV2
mismatch – this is encouraging.

51.
Current Fraud Detection Tools
The real cost of chargebacks:
Ø In 2008 merchants reported that it takes on average 1.8 hours to handle
ONE chargeback (time consumed on research, documentation and
representment);
Ø Over the past 4 years fraud-coded chargebacks (RC23/83) have been
represented successfully between 43-53%;
Ø Over 1/3 of merchants surveyed confirm they dispute 90% of their fraud
chargebacks;
Ø In 2007 large merchants reported 57% of their fraud was RC83
chargebacks. This has dropped to 48% in 2008;
Ø Having an efficient representment process enhances the merchant’s
chances of successfully representing a fraud coded chargeback
Ø Friendly-Fraud is on the rise with the downturn in the credit markets;
Ø Merchants MUST get diligent with managing this issue or face large fines
and risk losing their merchant account.

52.
Current Fraud Detection Tools
The real cost of chargebacks:
Ø Given the time involved, the administration efforts, fines, penalty fees,
merchants are finding it makes more economic sense to encourage
consumers to contact them directly to receive a credit/refund than to
process a chargeback;
Ø If merchants are evaluating fraud losses solely on the basis of RC83
chargebacks, the actual rate of fraud loss is likely 2x higher simply
because of the number of Refunds being processed and consumer
complaints resolved in other ways (ecash credits etc);
Ø Implementing Verified By VISA/SecureCode also reduces fraud coded
chargebacks by ‘guaranteeing’ liability shift back to the issuer for
qualifying Reason Codes.
Source: Cybersource USA/UK 2008 Online Fraud Reports

54.
Current Fraud Detection Tools Used
The Payer Authentication Process
Ø Issuers and Acquirers register independently and the service is not
inter-dependent
Ø Issuers can have credit card BINs registered but not their cardholders;
alternatively neither can be enrolled - this drives the merchant chargeback
liability shift conditions for ‘attempted’ 3-D Secure requests;
Ø Merchants ONLY have chargeback liability shift rights if BOTH the Acquirer
and the Merchant are registered with VBV/SecureCode – however
chargeback liability shift is not contingent on whether the Issuer or
cardholder participate in 3-D Secure™.

55.
How Does 3-D Secure™ work?
The Payer Authentication Process
Ø VBV is a global service so once Merchants are enrolled by participating
acquirers all VISA transactions can be authenticated with VBV for a
fraction of the cost of other fraud detection services;
Ø Verified By VISA liability shift is guaranteed for ‘attempted’ transaction
authentication (global) even if the cardholder is NOT enrolled in VBV with
their Issuer;
Ø If an enrolled VBV Merchant attempts to authenticate the cardholder
through Verified By VISA and either the cardholder and/or their Issuer
doesn’t participate, the transaction is flagged as an ‘attempt’ (ECI=6) and
these transactions are included in the liability shift programme for specific
chargeback reason codes (RC23, 83).
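
A small decision matrix of the kind described under "Decision Matrices, Risk Scoring Software and Data Sharing", applying the CVV2 'M' rule, the AVS partial-match caveat and the ECI=6 liability shift from the slides. This is an added example, not code from the presentation; the weights, thresholds and field names are assumptions, and the AVS codes Y/A/Z and Visa ECI 5 (fully authenticated) are standard values that do not appear on the slides.

```python
# Illustrative weights and thresholds: assumptions for this sketch, not values
# from the slides, the card schemes or any fraud product.
FRAUD_CODED_RCS = {"23", "83"}   # fraud-coded reason codes named on the slides
SHIFT_ECI = {5, 6}               # Visa ECI: 5 authenticated, 6 attempted


def decide(txn, review_at=40, reject_at=80):
    """Return (decision, score, reasons) for one issuer-approved transaction."""
    score, reasons = 0, []

    cvv2 = txn.get("cvv2_result")
    if cvv2 == "N":
        # Not every issuer declines on a mismatch, so the merchant acts on it.
        return "reject", 100, ["CVV2 no match"]
    if cvv2 != "M":
        # CVV2 was sent, but only an 'M' response indicates card possession.
        score += 30
        reasons.append("CVV2 not confirmed by issuer")

    avs = txn.get("avs_result")
    if avs in ("A", "Z"):
        # Street-only or ZIP-only match: the partial match the slides warn about.
        score += 20
        reasons.append("AVS partial match")
    elif avs != "Y":
        # No match, or AVS unavailable (common for non-US issuers).
        score += 35
        reasons.append("AVS not matched")

    if txn.get("eci") not in SHIFT_ECI:
        score += 25
        reasons.append("no 3-D Secure attempt, merchant keeps fraud liability")

    if score >= reject_at:
        decision = "reject"
    elif score >= review_at:
        decision = "review"      # suspended for manual order review
    else:
        decision = "accept"
    return decision, score, reasons


def liability_shift(txn, reason_code):
    """True if a chargeback with this reason code falls under the shift."""
    return txn.get("eci") in SHIFT_ECI and reason_code in FRAUD_CODED_RCS


if __name__ == "__main__":
    # Constructed sample transactions.
    samples = [
        {"cvv2_result": "M", "avs_result": "Y", "eci": 6},
        {"cvv2_result": "U", "avs_result": "Z", "eci": 7},
        {"cvv2_result": "P", "avs_result": "N", "eci": 7},
    ]
    for t in samples:
        print(t, "->", decide(t), "shift on RC83:", liability_shift(t, "83"))
```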

56.
How Does 3-D Secure™ Work?
The Payer Authentication Process
Ø After June 30th, 2007, online merchants will no longer be able to process
Maestro debit transactions unless they implement MasterCard
SecureCode™;
Ø MasterCard SecureCode has implemented merchant-only liability shift in all
Regions except the USA;
Ø This means if a merchant is registered with a participating acquiring bank
in EU, Asia/Pacific, SAMEA, LACR regions and they attempt to authenticate
the cardholder – they have chargeback liability shift protection for
chargeback RC 37 and 63 (if the transaction is authorised);
Ø USA has not opted into this liability shift on ‘attempted’ SecureCode
transactions yet.

57.
What are the Problems with 3-D Secure?
3-D Secure™ Issuer Blocks
Ø In specific countries Issuers are blocking 3-D Secure attempted
transaction requests – those tagged with an ECI 6 value;
Ø There is compliance that clearly states Issuers can be fined for not
authorising 3-D Secure attempted (ECI 6) transactions however it
doesn’t seem like the enforcement mechanisms are in place to penalize
Issuers;
Ø Mexico Issuers are blocking ECI=6 authorisation requests; some
banks in Eastern Europe also

58.
What are the Problems with 3-D Secure?
3-D Secure™ Phishing Scams
Ø Consumers are emailed with a Verified By VISA or SecureCode
enrolment request which includes actual language from the VBV or S/C
web sites as well as the same fonts, layout and logos;
Ø Consumers either click on a link or are redirected to a site that looks
exactly like their card issuer VBV enrolment site;
Ø Ironic that the one programme designed to assist merchants and
consumers with prevention of fraud is in itself a victim of phishing
fraud

61.
What are the Problems with 3-D Secure?

62.
VBV Enrolment Phishing Scam
VBV Phishing Scams
• This VBV enrolment phish had already targeted 24,011 consumers who
had innocently registered;
• 21,086 VISA BINs and card numbers were obtained as a result;
• The fraudulent site was tracked to an IP address in Uruguay;
• The scam was locked down by VISA within hours of being reported –
however you can see just how many people were victimized by the
phish;
• The data collected is extremely valuable on the black market for
identity theft, counterfeit cards and online fraud!

63.
VBV Enrolment Phishing Scam
So why is 3-D Secure phishing so “easy” to pull off?
Ø Both Verified By VISA and MasterCard SecureCode online web sites list
every registered Issuer in alphabetical order;
Ø If you select a specific Issuer, the VBV or SecureCode enrolment site
(legitimate one) displays;
Ø This can be recreated by the ‘phishing’ fraudster and within hours
thousands of cardholders are fooled into providing personal
information, card data, PINs, passwords and bank account numbers;
Ø “Activate the Verified by Visa feature - It's easy and only takes a
few moments to activate your card. You can do it right here on the
secure Visa site or when prompted during the checkout process at one
of our participating online merchants. Either way, your information
is protected.”

67.
This is legit VBV registration site

68.
This is a phishing site

69.
Summary – Fraud Detection versus Prevention
Fraud ‘detection’ tools are those used to identify the probability of risk
associated with an online transaction. They do not guarantee that a
fraud will not occur and certainly will never prevent a chargeback from
being initiated by the consumer.
Fraud ‘prevention’ tools like CVV2 and 3-D Secure do provide
guarantees against fraud coded chargebacks and are fully sponsored
by the Card Associations.

72.
Summary – Fraud Prevention
OUR CONCLUSIONS
KNOW YOUR ENEMY – you will then know your customer! Watch for
behaviour patterns that don’t seem “normal” for customers at your site.
Implement a face-to-face authentication system so you can “see” if your
customer is the same as the photo ID they provided. SKYPE is free –
anyone can use it. Why doesn’t the gaming industry verify new clients
by looking directly at them? It seems like a great deterrent, ensuring
criminals don’t register for your sites and therefore reducing your exposure
to fraudulent payment transactions.

73.
Summary – Fraud Prevention
OUR CONCLUSIONS
Pre-authentication and automated screening services cannot predict
‘human behaviour’ which results in chargebacks. Habitual chargeback
offenders (the “friendly fraud” culprits) are aware of this and will use this
excuse over and over again.
3-D Secure™ is there to protect online merchants from habitual
chargeback offenders by allowing fraud chargebacks to be represented
under the liability shift guarantees regardless of whether the cardholder
is enrolled or not.